Slow Android Phone Patching Prompts Vulnerability Report

A security researcher disclosed vulnerabilities in Samsung smartphones this week with the intention of highlighting the slow rate at which flaws are fixed in mobile devices.

In a March 19 blog post, security researcher Roberto Paleari described four vulnerabilities found in various Samsung devices based on the Android operating system. The researcher informed Samsung of the issues in early January, but decided to publicly disclose the vulnerabilities because the device manufacturer intended to wait until all network carriers approved the patch, which "seems to be a very, VERY, long time," Paleari said.

While most researchers and security firms allow software makers at least 90 days to develop and deploy a patch, he disclosed early, instead choosing to withhold the technical details of the flaws.

"I really think Samsung cares about the security of its customers, but probably its vulnerability-handling procedure should be revised a little bit," Paleari stated in the blog post. "Android malware is ... rapidly growing. In this situation, the prompt development and diffusion of security patches is simply mandatory."

Paleari emphasized that the vulnerabilities are in Samsung's modifications to the Android operating system, not the core operating system itself. In response to an email from eWEEK, Samsung did not give a timetable for fixing the vulnerabilities, but said a patch would come soon.

"Samsung considers user privacy and the security of user data its top priority," the company stated in the email. "We are aware of this issue and will release a fix at the earliest possibility."

Two of the vulnerabilities could allow an attacker to install highly privileged applications without requiring any action on the part of the user. A third issue allows an attacker to take almost any action on a phone, while the fourth allows an attacker to send a Short Message Service (SMS) communication. A variety of other issues could allow a malicious program to change different settings on the victim's phone.

The vulnerabilities did not take a great amount of technical knowledge to find. Paleari theorized that malware authors may have already found some of them.

"Considering that most of these bugs can be fixed quite easily, without any drastic change to the device software, I admit that I was expecting a quick patch from Samsung," he said.

The main problem is that the patch process for any mobile device that uses a cellular network is fairly complicated. First, a patch for the vulnerability must be created by the software maker, whether that developer is Google, who manages the core operating system, an open-source project or the device manufacturer. Next, the device manufacturer must rebuild the firmware for each device model, to incorporate the changes, and then test each variation. Finally, the cellular carrier must approve the firmware to make sure it will not cause any disruption.

The entire process takes months, resulting in most users' phones having unpatched vulnerabilities. Only 20 percent of Android phones, for example, are running the latest version of the operating system, known as Jelly Bean.